Triton, BlackEnergy, WannaCry – Has Your Behavior Changed?

Image

Hopefully, the title of this blog has gotten your attention. In one of my prior blogs, ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat, we talked about how the malicious threat landscape for industrial controls systems is constantly evolving and getting more sophisticated, thereby raising the need to have visibility, implement protective controls and perform continuous monitoring. In this blog, we will take a more detailed look at the attack vectors of some malware/malicious events like Triton that occurred over the last decade, including some attacks that did not target industrial control systems.

Image

Whether it be ransomware, malware or a targeted attack, each of these vectors need access to the environment. There are many ways for attackers to gain access; these events oftentimes involve phishing, stolen credentials, hijacking/infecting a transient device such as a laptop or USB flash drive or exploiting a vulnerability, etc. to name a few. While NotPetya and WannaCry had a massive impact on industrial environments in terms of negatively impacting productivity and financial results, these threats did not directly target industrial control system environments. It is still very important to have visibility within your control network to understand if such an event is occurring, and it’s essential to have protective controls in place that can mitigate their spread and potential impact. If we look at malicious behavior that actually compromised an industrial process, the same best practices around visibility, protective controls and continuous monitoring apply; they can help organizations detect malicious activity before the threat actor gains control of your industrial process. The image shown below outlines the phases of infiltration for a malicious “payload.”

Image

It’s important to not forget that attackers first need access to the environment, which is achieved by the following:

1. Obtaining a network communications path, i.e. “the way in” or “north-south traffic,”
2. The existence of a vulnerability or configuration weakness (e.g. default passwords)
3. An exploit to take advantage of a vulnerability and thereby gain access to the network communication path.

Once access is achieved, they perform discovery or reconnaissance on the environment to plan how they will eventually take control of something so that they can execute the damage phase. They will then try and remove evidence of their attack. In all of these phases, the one that takes the longest is the discovery/reconnaissance phase. Since it takes the longest, it gives those tasked with protecting industrial control environments the best chance to “see” that there are advisories roaming around their industrial control networks looking to cause harm. In the BlackEnergy attacks that affected Ukraine in 2015, the threat actor performed discovery for at least six months learning about the environment. That’s right, at least six months. During this time, they gained access to the business IT network, pivoted to the industrial control network and continued doing additional reconnaissance to learn as much about the environment as possible by looking for devices they could control to execute the damage phase. In this case, the damage phase involved remotely taking control of breakers in the substations, which ultimately resulted in a power outage. This behavior went undetected, inclusive of the summary of events and activities outlined below:

• Phishing emails – This is how the digital attackers gained access to the business/IT network.
• Malware – Bad actors embedded BlackEnergy3 malware into Microsoft Office documents, malicious files which led to the theft of user credentials via keystroke loggers.
• With user credentials, digital attackers achieved remote connectivity via VPN. They were able to move laterally within the environment, i.e. “east to west”, and blended in as “authorized” users.
• These malefactors then gained access to a separate network where Uninterruptable Power Supply (UPS) were scheduled to be disconnected during the outage, making power restoration more difficult.
• They hijacked HMI & SCADA systems and leveraged the HMI assets to open breakers in the substations.
• At that point, the attackers targeted field devices in substations. They uploaded malicious firmware to serial-to-Ethernet converters that disabled remote operation of devices in the substation.
• After performing an automated denial-of-service on call centers, the bad actors made Windows engineering workstations and SCADA servers inoperable with KillDisk, wiper malware which removes the Master Boot Record from the system so they are unable to be rebooted.

How would this situation have played out if there was visibility into the above behaviors, you might ask? Organizations would have been able to observe the following:

• Abnormalities
  • More users logging in through the VPN from non-normal remote locations and probably during non-normal times of the day.
  • Firmware being uploaded to a number of serial-to-Ethernet converters in the substation.
• Threats
  • Identification of command and control traffic from the propagation of malware.
  • Identification of all the engineering workstations infected with BlackEnergy3 malware
  • Identification of KillDisk’s installation on Windows workstations and SCADA servers.

In its analysis of the event in Ukraine, the Electricity Information Sharing and Analysis Center ((E-ISAC) provided the following recommendations:

1. Segment networks.
   1. Between business IT network and ICS network.
   2. Between the substations and the control center, i.e. north-south traffic.
   3. Within the substation and between substations, i.e. east-west traffic.
2. Ensure that device logging is enabled.
   1. Devices logs can provide valuable information relative to what the device is doing and how it is operating, i.e. was its firmware just updated, is someone trying to brute force attack an administrator’s password?
   2. These logs can act as a forensics engine relative to cyber security incidents and operational concerns.
3. Leverage managed switches to provide additional information through the use of mirror ports and device logging.
4. Prioritize and patch vulnerabilities.
   1. Know what high critical cybersecurity vulnerabilities need to be remediated.
   2. Patch if appropriate or implement protective control to mitigate risk until a patch can be applied.
5. Monitor high-value systems, i.e. engineering workstations and servers.
   1. Leverage file integrity monitoring tools to know what changed, who changed it and whether that change was authorized or expected.
   2. Monitor these systems for adherence to a cybersecurity configuration guideline such as IEC62443 or NIST SP 800-82 and remediate when configuration evaluation tests fail.

These threats are real. Whether it’s unintentional from ransomware like WannaCry or intentional from direct targeted attacks like the one in Ukraine, cyber is and will continue to be a battlefield in the future as more and more devices are connected to industrial networks. With what has happened over the last 10 years, has this changed your behavior? Do you have plans to enhance your visibility, deploy protective controls and continuously monitor your environment? It’s only a matter of time when the next unintentional piece of malware runs rampant in industrial environments or an adversary performing long-term reconnaissance in order to cause harm. To learn more about how Tripwire solutions can help with visibility, protective controls and continuous monitoring, all through data collection techniques that are non-intrusive to the industrial process, check out our industrial cybersecurity solutions at Tripwire Industrial Cybersecurity Solutions.